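def rule(event):
    """Flag ``reg add`` command lines that change BitLocker (FVE) policy values.

    The rule fires when the event's ``CommandLine`` contains every required
    token (``REG``, ``ADD``, the ``\\SOFTWARE\\Policies\\Microsoft\\FVE`` key
    path, ``/v`` and ``/f``) and at least one of the listed BitLocker policy
    value names. Matching is plain substring containment, so token order and
    word boundaries are not checked.

    Args:
        event: Log event exposing ``deep_get``; only ``CommandLine`` is read.

    Returns:
        True when the command line matches, False otherwise (including when
        ``CommandLine`` is missing or is not a string).
    """
    required_tokens = (
        "REG",
        "ADD",
        "\\SOFTWARE\\Policies\\Microsoft\\FVE",
        "/v",
        "/f",
    )
    # "UseTPM" and "RecoveryKeyMessage" already cover the longer names as
    # substrings; the full list is kept so each policy value is visible.
    policy_values = (
        "EnableBDEWithNoTPM",
        "UseAdvancedStartup",
        "UseTPM",
        "UseTPMKey",
        "UseTPMKeyPIN",
        "RecoveryKeyMessageSource",
        "UseTPMPIN",
        "RecoveryKeyMessage",
    )

    command_line = event.deep_get("CommandLine", default="")
    if not isinstance(command_line, str):
        # A null or non-string field cannot match; avoid a TypeError on `in`.
        return False

    # reg.exe verbs, switches, key paths and value names are case-insensitive
    # on Windows, so a case-sensitive test would miss "reg add ... \fve".
    # Compare on a lowercased copy of both sides.
    haystack = command_line.lower()

    if not all(token.lower() in haystack for token in required_tokens):
        return False
    return any(value.lower() in haystack for value in policy_values)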
